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Abstract —Cyber literacy merits serious research at¬ 
tention because it addresses a confluence of specialization 
and generalization; cybersecurity is often conceived of 
as approachable only by a technological intelligentsia , 
yet its interdependent nature demands education for a 
broad population. Therefore, educational tools should 
lead participants to discover technical knowledge in an 
accessible and attractive framework. In this paper, we 
present Protection and Deception ( P&G ), a novel two- 
player board game. P&G has three main contributions. 
First, it builds cyber literacy by giving participants 
“hands-on” experience with game pieces that have the 
capabilities of cyber-attacks such as worms, masquerad¬ 
ing attacks/spoofs, replay attacks, and Trojans. Sec¬ 
ond, P&G teaches the important game-theoretic con¬ 
cepts of asymmetric information and resource allocation 
implicitly and non-obtrusively through its game play. 
Finally, it strives for the important objective of security 
education for underrepresented minorities and people 
without explicit technical experience. We tested P&G at 
a community center in Manhattan with middle- and high 
school students, and observed enjoyment and increased 
cyber literacy along with suggestions for improvement 
of the game. Together with these results, our paper 
also presents images of the attractive board design and 
3D printed game pieces, together with a Monte-Carlo 
analysis that we used to ensure a balanced gaming 
experience. 

Index Terms —Cyber literacy, security awareness, cy¬ 
bersecurity, deception, board game 

I. Introduction 

Cybersecurity has been directly in the limelight 
of contemporary media. The Sony Pictures Entertain¬ 
ment hack over the controversial film The Interview , 
the infamous debut of the Snowden Revelations and 
ensuing debate, and important security breaches at 
The Home Depot and Target Corporation have made 

Department of Electrical and Computer Engineering, Polytechnic 
School of Engineering, New York University, Brooklyn, NY 11201. 
{sz903, jp3122, js6160, jpawlick, quanyan.zhu} @nyu.edu 

This work was supported in part by the New York University Pro¬ 
totyping Fund, a collaborative program offered by the Greenhouse 
at NYU and the NYU Entrepreneurial Insitute. 

It was also supported in part by an NSF IGERT grant through 
the Center for Interdisciplinary Studies in Security and Privacy 
0 CRISSP ) at NYU. 


national news at all levels of society. The U.S. Federal 
Government’s commissions of reports on big data and 
privacy m and bulk collection of signals intelligence 
m - together with the surging interest in cyberse¬ 
curity from academic and commercial perspectives - 
suggests an intense effort to combat cybercrime from 
the top-down. But cybersecurity is an interdependent 
phenomenon. This interdependency demands cyber 
literacy that branches out from technology compa¬ 
nies and computer science schools to consumers of 
the technology that they develop. It also requires a 
grassroots effort at igniting interest in cyber-careers 
as an investment in tomorrow’s human capital. 

Serious games offer a promising means to overcome 
the intimidating nature of learning about cybersecurity. 
Because it is difficult to perceive how security threats 
affect individuals, and because cyber experience and 
vocabulary are not well-integrated among those in 
non-technical fields, cybersecurity can seem to pose 
a high barrier to entry |4). Serious games employ the 
entertainment value of games towards accomplishing 
distinct educational objectives. They sit upon an inter¬ 
section between engineering, science, and education. 
Our work is a serious game with the objectives of 
answering such basic questions as “What is a mas¬ 
querading attack?” and “How is a local area network 
different from the internet?” 

Several recent educational efforts have promise for 
technical professionals or aspiring STEM students. 
Proliferating Capture the Flag (CTF ) competitions 
have placed security education in a non-technical envi¬ 
ronment. An application of gamification , they leverage 
the enjoyable properties of games in a real-life security 
challenge. But they may not be appropriate for novice 
participants. They do not (at least yet) especially 
represent an outreach of security education beyond the 
STEM fields and into populations underrepresented in 
technical fields. Games are needed that feature a gentle 
introduction to cyber-security; one that helps build 
cyber literacy without intimidation and teaches other 
concepts relevant to cybersecurity only implicitly. 

In this work, we present Protection and Deception 
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( P&G ), a two-player board game that combines a 
turn-based chess-like structure with elements such 
as infrastructure configuration that are characteristic 
of real-time strategy games. The basic gameplay is 
simple and follows a storyline related to cybersecurity. 
In P&G , both players configure local area networks 
(LANs) and allocate attack and defense packages. 
They hide “critical information” on one of their 
computers. Then, gameplay evolves in a sequence of 
turns in which players deploy attacks and navigate 
them through the network. Throughout the game, 
players learn about attack capabilities. They also face 
trade-offs between brute strength and maintaining 
information-assymetry - as when deciding whether to 
surveil an opponent’s LAN with a weak attack. Players 
achieve victory when they destroy the opponent’s 
computer containing the critical information. 

P&G offers a gentle introduction to cyber literacy. 
Explicit cyber-jargon is limited to various types of 
cyber attacks: e.g ., viruses, Trojans, masquerading 
attacks and worms. The rest of the gameplay has 
parallels in traditional board games - although there 
are some parallels to collectable card games (e.g. 
Magic: The Gathering and Yu-Gi-Oh!). In this way, 
P&G attempts to lower the learning curve for serious 
security games so that they can reach populations 
outside of corporations or the university. 

Indeed, we tested this game at a community center 
on the lower-east side of Manhattan. We found both 
encouraging results - in terms of interest in the game 
and acquired knowledge - and elements of the game 
that need to be improved and further simplified in 
order to attract young players. We were also inspired 
towards future work in digitalizing the game or pro¬ 
viding game instructions in the form of a YouTube 
video. 

The rest of the paper proceeds as follows. Section 
[II] describes the gameplay of P&G in detail. We were 
especially intrigued by one aspect of the gameplay 
design: attempting to balance the capabilities of cyber¬ 
attacks and defense packages. Towards this end, we 
created a Monte-Carlo simulation which we describe 
in Section III Section [TV] describes our playtesting 
proceedure and observations. Finally, we conclude the 


paper in Section VI 


II. Gameplay 

Protection and Deception (P&G) is a two-player 
board game. The goal is of the game is to locate 
and destroy the opponent’s computer that holds his 
critical information. This task is achieved through a 
combination of effective local area network (LAN) 
design, intelligent deployment of attacks and defenses, 
and quickly routing attacks and defenses to their 
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Figure 1. Basic board layout. Each player configures her own 
local area network, and connects via routers to the public internet. 
Network configuration is an optimization experience in which 
players need to make trade-offs between capabilities to defend 
critical information, utilize deception (hide critical information in 
unexpected computers), and rapidly deploy attacks. 
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Figure 2. Basic board layout with three computers connected via 
mesh points and links 


intended target. This requires balancing strength with 
maintaining the ability to deceive the other player. The 
first stage of P&G consists of LAN configuration. 

A. LAN Configuration 

Each player controls the following pieces: 

1) 4 routers 

2) 8 computers 

3) 8 mesh points 

4) 16 links 

5) Deck of attack and defense cards 

There are three components to the platform of the 
board game as shown in Fig. [T] 

Each player will have a Local Area Network (LAN), 
which is essentially her base. The players configure 
these LANs. The board that is in the middle of the 
two LANs is the public Internet, which has static 
configuration. 

The game begins with each player setting up her 
own LAN. A network topology consists of routers, 
computers, mesh points, and links. A mesh point is 
essentially a way to link two computers directly. Fig. 
[2] represents a sample network topology for Player A 
of three computers connected with the use of three 
mesh points. 

Each player creates a network topology that consists 
of 8 computers, at least 4 mesh points and at most 8 
mesh points, and 4 routers, which are accompanied by 
4 routing links and must be connected to at least four 
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Figure 3. Sample configuration of LANi. The red computer holds 
critical information. The routing links are represented with green 
lines, while the computers are linked to each other or to mesh points 
with red lines. 



Front 


Figure 4. Sample attack card: Worm Attack 


mesh points. A router is used to connect computers to 
the public Internet. The 16 links are used in order 
to connect a computer to a computer, a computer 
to a mesh point, or a router to a mesh point. Each 
computer must use 2 to 3 links to connect to another 
computer or mesh point. Fig. [3] is a sample network 
topology. The routing links are represented with the 
green lines. In Fig. [3} the computers are linked to other 
computers or mesh points with the use of red links. 
After each player sets up his or her network topology, 
each player must designate one computer out of the 
eight computers as the computer that holds “critical 
information”. In Fig. [3j the computer that holds the 
critical information is colored in red. 

Each router is connected to the public Internet with 
the use one link (in yellow in Fig. [3j. Once each player 
has set up her network topology and decided on the 
computer that holds “critical information,” each player 
allocates the deck of attack and defense cards. Each 
computer, besides the computer that holds “critical 
information,” is assigned one attack card and one 
defense card. The next two subsections describe the 
attacks and the defense packages. 


B. Attacks 

Each attack card features a different type of attack. 
These attacks can be spawned from the computers 
equipped with the attack card. Fig. [4] depicts an image 
of one of the attack cards. 

1) Worm - takes down a piece and then replicates 
if a host is taken down 

2) Masquerading Attack/Spoof - propagates 
throughout a network without attacking a 
particular piece 

3) Denial of Service (DOS) Attack - stops traffic 
within a mesh point. 

4) Virus - attacks a computer and then the piece is 
reset 


5) Replay - captures a packet and does not let it 
propagate throughout the network 

6) Trojan - reveals the defenses that a particular 
computer has installed. A Trojan is also coupled 
with a weak level virus 

7) Modification Message - changes the type of 
message/attack a computer sends. If this attack 
comes across the opponent’s attack at a node in 
the Internet, it can randomly select a different 
type of attack 


C. Defense Packages 


Players also equip computers with a defense pack¬ 
age. The defense packages differ in terms of which 
attacks they block. We have counterbalanced these 
packages in order to prevent any one attack from 
becoming exceptionally powerful. (See Section III) 
Fig. [5] depicts one of the defense package cards. 


1) Defense Package 1 - Blocks worm, replay, and 
masquerading attack/spoof 

2) Defense Package 2 - Blocks worm, denial of ser¬ 
vice (DOS), and modification message attacks 

3) Defense Package 3 - Blocks worm, virus, and 
Trojan attacks 

4) Defense Package 4 - Blocks worm, modification 
message, and masquerading attack/spoof 

5) Defense Package 5 - Blocks worm, Trojan, and 
DOS attacks 

6) Defense Package 6 - Blocks virus, replay, and 
masquerading attack/spoof 

7) Defense Package 7 - Blocks Trojan, replay, and 
DOS attacks 

8) Defense Package 8 - Blocks Trojan, replay, and 
modification message attacks 


On every turn, each player is allowed to make 
one move. A move is defined as either spawning an 
attack or moving an attack one unit. An attack piece 
is represented as a ring. When a player spawns an 
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Figure 5. Sample defense package card: Defense Package 1 

attack piece, she simply places the ring on top of 
the appropriate computer. An attack that is in a LAN 
follows the configured links. An attack that is in the 
public Internet moves along the sides of the squares. 
The attack is allowed to move either horizontally (left 
or right) or vertically (up or down). Each player does 
not know what the other player’s moving attacking is. 
An attack is revealed under one of two conditions: 

1) A player attacks the opponent’s attack 

2) A player attacks the opponent’s computer 

A defense package is revealed if an attack is conducted 
on a computer. Below is a sample gameplay: 

1) Player A has a worm attack. Player A attacks 
Player B’s computer. 

2) Player B reveals the Defense Package that is 
assigned to the particular computer that is at¬ 
tacked: Defense Package 1. 

3) Defense Package 1 is able to defend against a 
Worm, Replay, and Masquerading Attack/Spoof. 
Therefore, Player A’s worm attack is destroyed. 

If an attack attacks a computer and the computer 
is successfully able to defend against the attack, the 
attack is destroyed. However, although the attack is 
destroyed, it can still be spawned from the starting 
point, which is the computer that the attack originated 
from, on another turn. If an attack attacks a computer 
and the computer is unable to defend against the 
attack, the computer is destroyed. The game ends 
once one player discovers and destroys the opponent’s 
computer that holds the “critical information”. 

III. Simulation and Strategy 

Every game requires fairness for a balance of good 
gameplay. No single attack should dominate to the 
point where the game ends quickly. In this section, we 
first describe the results of a simulation that we used to 
balance the capabilities of the attacks and the defense 
packages, and then we describe a strategy that might 



Figure 6. LAN topology used for Monte-Carlo simulation. In 
this simulation, we ran different attacks against different possible 
configurations of the defense packages. We ultimately designed the 
defense packages based on the configurations that created the most 
equal performance for the different attacks. 

be employed based on insight from this simulation 
design process. 

A. Simulation for Design 

Flow is a notion developed by psychologists to 
describe a mental state in which one is completely 
involved in an activity for its own sake [1]. It is 
characterized as an activity where time flies. Fairness 
in a game is essential to induce flow (6). We wanted 
to allocate defense capabilities such that no single 
attack was able to dominate. In order to do this, 
we simulated virus and worm attacks against a fixed 
network topology for different allocations of defense 
package^] This gave us a mapping from (number of 
defenses with the ability to block viruses) to (number 
of computers that a virus would likely destroy), and 
it gave us a similar mapping for worms. We then 
used the inverse of this mapping to allocate the 
capabilities of defense packages such that viruses and 
worms would be likely to destroy the same number of 
computers. 

For the Monte Carlo simulation, we used the fol¬ 
lowing topology in Fig. [6] one that is within limits 
and is symmetrical in nature. 

For the random simulations, a random routing point 
was chosen from a uniform distribution. The virus was 
simulated such that it would not revisit nodes if it had 
the potential to explore unvisited nodes. The worm had 

1 We simulated virus and worm attacks because they have least 
and most powerful special attack properties, respectively. The virus 
has no special attack power, while the worm has the power to 
continue to propagate if it is not destroyed. We allocated defenses 
against the other attacks by assuming that their special attack 
properties lie somewhere between those of the virus and worm. 
Thus, we configured between two defense packages (the number 
which were endowed with the ability to block viruses) and five 
defense packages (the number configured with the ability to block 
worms) with the ability to block the other attacks. 
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Virus Attack Propogation Monte Carlo 



Number of Defenses to Block Virus 


Figure 7. Number of computers destroyed by virus attack versus 
number of defenses equipped with the ability to block the virus. For 
instance, if four defenses were to be configured with the capability 
to block the virus, then the average virus attack would destroy 
approximately one computer. 



Worm Attack Propogation Monte Carlo 



Number of Defenses to Block Worm 


Figure 8. Number of computers destroyed by worm attack versus 
number of defenses equipped with the ability to block the worm 


the capability to visit all nodes. For each number of 
defenses ranging from 0 to 8, 1000 simulations were 
done to average the number of nodes destroyed. Figs. 
[7] and [8] depict the results of these simulations. 

Figs. 0 and [8] show that to give the virus and worm 
similar strengths, the number of defenses that protect 
against viruses should be less than that of worms. 
Based on the figures, four defense packages should 
be equipped with the ability to block worms and two 
with the ability to block viruses. This makes each able 
to destroy approximately 2.5 computers on averag^] 

Based on the results of this simulation, the next 
subsection describes a sample strategic consideration 
that players might use to build a LAN and allocate 
defense packages. 


B. Strategy 

Clearly there are some implicit guidelines for mak¬ 
ing a topology. For instance, it seems unwise to leave 
a direct path without worm defense to the critical 
computer. Such topologies arise in automatic wins 
if the correct attack is carried out. One particular 
defensive strategy that could be used is to create two 
communities. 

The topology in Fig. [9] is an example of a dual¬ 
community topology. A community could be defined 
as a concentration of nodes with a high degree of inter¬ 
connectivity. This dual-community topology in Fig. [9] 
also has the property that it forces attacks through 
certain computers on the way to computer number 8, 
in which the critical information is maintained. As a 
result, there are no short routes to get to node 8. 

We conducted a simulation to analyze the effective¬ 
ness of this topology. The results of this simulation are 
shown in Fig. [TO| which shows that fewer computers 
were eliminated on average for the same defensive 
configurations for the long dual-community strategy 
than for the default strategy. 

From an offensive standpoint, an attack strategy 
might be to send out 4 attacks simultaneously. The 
attack that has the least probability of being defended 
against will attack a node. Once this node is attacked 
the defenses of that node are now known. If it suc¬ 
cessfully defends against one attack, the player has at 
least one other attack to take out this node. In fact, 
this method of attack is very effective when using the 
first attacker to be a virus because there are only two 
defenses against viruses. 


2 The first iteration of defense packages used preliminary simu¬ 
lation results. Thus, in the allocations discussed in Section [n] there 
are five rather than four defense packages equipped with the ability 
to block worms. 


C. Implicit Game-theoretic trade-offs 

Besides explicitly teaching players basic cyber liter¬ 
acy, P&G also aims to give them implicit experience 
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Worm Attack Propogation Monte Carlo 



Figure 10. Computer casualties with default versus robust defense 
configurations 

in game-theoretic optimization. This optimization is 
apparent in network configuration for defense and 
selecting optimal attack strategies. 

The defensive network strategy embodied by the 
dual-community strategy depicted in Fig. [9] for in¬ 
stance, involves a trade-off. The advantage of the con¬ 
figuration is that it strongly protects computer number 
8, which can be used to store the critical information. 
Unfortunately, this also reveals the likely location of 
the critical information to the opposing player! A 
more “flat” and network topology would have the 
advantage of more effectively disguising the location 
of the critical information. Such deception is heavily 
studied in the area of security in general (T3lL lH~4l . 
m . and is especially important in cybersecurity ed, 
El In terms of game theory, choosing a flat topology 
amounts to preferring information asymmetry to brute 
force. 

Information asymmetry is also important in se¬ 
lecting attack strategies. Initially, an attacking player 
has no knowledge of her opponent’s allocation of 
defensive packages. She has the option to use initial 
attacks primarily as “scouts” in order to ascertain the 
allocation of defense packages. Of course, this may 
involve sacrificing the turns that it takes to regenerate 
attacks. We are excited to see how players develop 
strategies that leverage these concepts - possibly with¬ 
out explicit knowledge of the scholarship behind them. 

IV. Playtesting 

The initial target audience of Protection and De¬ 
ception ( P&G ) was any person over the age of six. 
The game was tested out among various ages ranging 
from ages six to 21 years old. The testers were from 
two groups. The first was a combination of children 
who frequented a community center located in the 
Lower East Side of Manhattan, New York. The second 


consisted of mostly college students. Our initial tests 
at the community center were conducted with four 
children. 

We initially considered implementing structured 
pre- and post-play surveys that would have enabled 
statistical analysis. Encouraged, however, by advice 
from the educational community, we eventually opted 
for less structured observation that would not discour¬ 
age students. Essentially, we collected evidence by 
open-ended observation. 

Questions to the children before the game lasted 
no more than five minutes per player. We asked the 
players their age, what they know about cyber secu¬ 
rity, what academic subject they preferred, and what 
interests they pursued outside of school. The questions 
about favorite subject and interest were a means to 
figure out their backgrounds. We had children who 
were interested in math, science, basketball, painting, 
and other activities. These children at the community 
center did not have any explicit knowledge about 
cybersecurity. We asked whether they had heard of 
“hackers,” but they had not. We also tested the game 
with two high school students, one of which expressed 
interest in business and another in engineering. Fi¬ 
nally, our second pool of testers were college students 
looking to pursue careers in the fields of engineering, 
medical, and art. 

In the post-survey, all players were asked what 
they learned about cyber security, what they liked and 
disliked about the game. One 7-year old girl from the 
community center said, “I like the cards the most.” 
A 10-year old boy said, “I forgot which card I put 
down for the different computers” - which indicated 
to us an aspect of the board design that we can 
improve so that it is obvious which attack and defense 
cards have been allocated to each computer. A 20- 
year old college student studying medicine had a brief 
understanding about cybersecurity before the game, 
but after playing “learned how different attacks such 
as the worm worked and learned about cyber attacks 
that I didn’t’t know existed like masquerading.” A 17 
year old in high school who expressed an interest in 
business said he would play the game if more of his 
friends knew about the game and how to play. He was 
asked a follow-up question if there was anything in the 
game he wanted to learn more about. He said he plays 
video games on his PlayStation 4 console a lot and 
realized he “had an experience of denial of service 
when a group of hackers took down the PlayStation 
online network and I could not log on or use the 
network for a few days.” We were encouraged by this 
rather comical realization that cybersecurity concepts 
are especially embedded in non-academic activities. 

For all age groups, the instructions seemed rather 
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complex; many times during the game, players would 
ask the testers whether moves were legal or ask 
about the results of particular actions. Importantly, we 
learned that it was helpful to follow the instructions 
with a quick demonstration of the game play. This 
adjustment in our introduction of the game decreased 
the difficulty of learning, although did not remove the 
learning curve completely. Based on this expressed 
difficulty, we are considering including video instruc¬ 
tion or other means to make the game easier to learn. 


We describe these briefly in Section VI 


Finally, we noted that the game seemed enjoyable 
to players once the rules became clear. Players were 
excited when their attack successfully destroyed a 
computer or when their computers successfully re¬ 
pelled the opponent’s attacks. Among the older play¬ 
ers, we noted a competitiveness that emerged from the 
freedom allowed to choose different strategies. From 
observing the various age groups, it appeared that the 
testers that were around or over the age of 13 enjoyed 
the game the most. We will seek a much larger subject 
pool for further testing in order to refine the target age 
for P&G. 


V. Related Work 

In the introduction, we described various classes of 
games from which Protection and Deception (P&G) 
derives its framework. Namely, P&G is a serious game 
- a game which teaches concepts which have actual 
value outside of serving the entertainment purpose of 
the game. P&G aims to build cyber literacy, as well as 
to implicitly teach about trade-offs between strength 
and information revelation. Furthermore, P&G rep¬ 
resents an effort in the vast category of security 
education, a critical area of study in the light of intense 
regional and international conflicts in cybersecurity. 
Finally, P&G builds upon a tradition of games-based 
learning. 

We can see similarities to P&G in at several recent 
games. From last year’s 3GSE, Microsoft’s Elevation 
of Privilege m is a card game based on concepts 
from information security with a fascinating purpose: 
it is played between developers in order to discover 
security flaws of a system. Elevation of Privilege is an 
example of gamification, since it employs motivations 
from game-playing for a serious task. Developers in 
this game draw cards which prompt them to name 
vulnerabilities, and thereby accomplish a technical ob¬ 
jective. Elevation of Privilege is obviously not geared 
towards a novice population. 

Control-Alt-Hack HD is a card game from 3GSE’ 14 
which is geared towards a novice population. This 
game seeks to give participants an social experience 


related to hacking, rather than teaching specific con¬ 
cepts. The network security game called [d0x3d!] 0 
is also a similar effort to ours. It is a board game 
with changeable configuration achieved by tiles which 
are arranged at the beginning of gameplay. Players 
in [d0x3d!] deploy special abilities on their way to 
collecting digital resources (“[loot]”). Both games are 
attractively designed, and represent efforts to intel¬ 
ligently deploy and commercialize or test security 
games. They both use existing games re-skinned in 
cybersecurity concepts and terminology, whereas our 
game is an entirely new design. 

Control-Alt-Hack and [d0x3d!] both seem to feature 
a higher degree of security vocabulary than P&G. 
Indeed, P&G represents an effort to reach out to 
non-technical, underrepresented, and young players. 
We are concerned not only about players who may 
not have the technological background to understand 
security concepts, but also players who may not have 
the attention span to learn a complicated game. In 
our own play testing, we observed that even with 
the simple mechanics of our game, there was some 
learning curve. Thus, we aim to keep the security 
lexicon in P&G to a minimum. This will help us 
achieve the goal of engaging a diverse population in 
security awareness. 

VI. Conclusions and Future Work 

Our initial work on Protection and Deception 
(P&G) opens up vast possibilities for future develop¬ 
ment. In terms of basic elements of gameplay, we have 
considered several options. First of all, the connection 
between security challenges and economic questions 
has been extensively noted in the literature Col, 02, 
ED . Because of this, we are considering incorporating 
money or budgeting resources into the gameplay. 
We are also considering allowing players to elect to 
build up their LAN capabilities instead of deploying 
attacks. This trade-off pits myopic against farsighted 
strategies, and allows implicitly teaching the present 
value of future rewards. Finally, we have noted that 
a visual demonstration of play seemed to lower the 
learning curve for our participants. Because of this, 
we are considering deploying video instructions online 
that can be used to learn the game. On the more 
extreme end, the entire game could be digitized, or 
a hybrid board game and digital game combination 
could be considered. 

In its present version, P&G is a board game de¬ 
signed to engage young, non-technical, and under¬ 
represented players in the world of cyber security. 
P&G features a completely new design which relies 
on probabilistic simulation to ensure fair gameplay. 
The game offers three major contributions. First, by 



exposing participant to various types of cyber-attacks 
such as denial of service and masquerading attacks , 
it builds cyber literacy in an inviting way. Second, it 
teaches aspects of game theory such as information 
asymmetry and deception implicitly. Finally, P&G 
engages players with little or no previous introduc¬ 
tion to cybersecurity. Indeed, we conducted an initial 
set of tests with such a population at a community 
center in the Lower East Side of Manhattan, New 
York. Encouraged by these initial results, we hope to 
continue to improve P&G so that it can contribute 
to the important and vast contemporary challenge of 
cybersecurity education. 
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